Cyber Essentials, a minimum baseline for all businesses
This month, the government-approved Cyber Essentials scheme receives its biggest overhaul to date. The significant changes to the scheme's technical requirements reflect the security challenges in today's digital world.
How does the Cyber Essentials scheme work?
The government-approved scheme includes five technical controls that help protect organisations of all sizes from the majority of commodity cyber attacks. A team of experts reviews the scheme at regular intervals to ensure it stays effective in the ever-evolving threat landscape. The evolution of Cyber Essentials allows UK businesses to continue raising the bar for their cyber security, and it is now widely considered the minimum level of cyber security for all businesses.
Cyber Essentials works in the format of a verified self-assessment questionnaire. Organisations log onto a secure portal to answer a series of questions that address the scope of the assessment, their employees, devices and work location. They will also answer questions that address the five core controls, which include user access control, secure configuration, security update management, firewalls and routers, and malware protection.
A senior member of the board will sign a document to verify that all the answers are true and then a qualified external assessor will mark the answers.
The preparation and process of getting certified to Cyber Essentials will give an organisation a clear picture of their cyber security and an opportunity to improve.
For organisations that require a higher level of assurance, Cyber Essentials Plus starts with the Cyber Essentials questionnaire but the technical controls are then physically audited to verify that they are in place. SMEs based in the UK with a turnover of less than £20 million who certify their whole organisation to Cyber Essentials are awarded free cyber security insurance.
The Cyber Essentials certification badge signals to customers, investors and those in the supply chain that an organisation has put the Government-approved minimum level of cyber security in place and can be trusted with their data and business. Many contracts stipulate Cyber Essentials as a prerequisite.
The scheme was introduced by the UK Government in 2014, as a way to help make the UK the safest place to do business. The environment that the scheme operates in has changed dramatically in the last seven years and, to reflect these changes, some of the technical control requirements were updated in January 2022 in line with recommended security updates. The pricing of Cyber Essentials has also changed and will adopt a new tiered structure based on organisation size.
While micro-organisations will continue to pay the current £300 assessment charge, small, medium and large organisations will pay a little more, on a sliding scale that aims to better reflect the complexity involved in assessing larger organisations.
The main technical changes
In recent years, business cyber security has been further challenged by the wide adoption of cloud services and remote working, the move to home working and use of privately owned devices. Many of the Cyber Essentials technical requirement changes reflect this new environment.
Home working devices are in scope, but most home routers are not.
Anyone working from home for any amount of time is classified as a 'home worker'. The devices that home workers use to access organisational data and services, whether they are owned by the organisation or the user, are in scope for Cyber Essentials.
Home routers that are provided by Internet Service Providers or by the home worker are now out of scope for the assessment, while the Cyber Essentials firewall controls apply to the home worker's device (computer, laptop, tablet and/or phone). However, a router supplied by the applicant company is in scope for the assessment and must have the Cyber Essentials controls applied to it.
Why the change?
Home working or hybrid working (coming into the office for only some of the working week) is now normal practice for most businesses and is unlikely to change back in the short term. It is difficult to impose rules on multiple employees' private home routers unless they are provided by the organisation.
All cloud services are in scope
Cloud services are to be fully integrated into the scheme. If an organisation's data or services are hosted on cloud services, then the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented on that service. Definitions of cloud services have been added for Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or the user actually implements a control depends on the type of cloud service, but the user has a responsibility to check that the controls are put in place.
Why the change?
People commonly assume that cloud services are secure out of the box, but this is not the case. It is necessary for users to take responsibility for the services they use, spend time reading up on and checking their cloud services, and apply the Cyber Essentials controls where possible. Previously, Platform as a Service (PaaS) and Software as a Service (SaaS) were not in scope for Cyber Essentials, but the new requirements now insist that organisations take responsibility for user access control and the secure configuration of their services, which includes securely managing access to the different administration accounts and blocking accounts that they do not need. Where the cloud service provider is in charge of implementing one or more of the controls (e.g. security update management or anti-malware), the applicant organisation has the responsibility to seek evidence that this is done to the required standard.